Malicious hackers are increasingly targeting security vulnerabilities in open-source software that runs bulletin boards and online forums, according to Internet monitoring firm Netcraft.
The unpatched holes, in open-source software like phpBB, PostNuke, and Mambo are being used to take control of powerful servers for denial of service attacks and phishing scams.
Poor deployment of security patches by administrators and the growing popularity of programs like phpBB are to blame, Netcraft said.
On Jan. 30, a bulletin board run by chip maker AMD was compromised by hackers and was used to distribute malicious code.
Those who visited the site, forums.amd.com, were prompted to download a file that exploited a recently patched vulnerability in Windows code used to process WMF (Windows Meta File) format image files, according to anti-virus firm F-Secure Inc. in Helsinki.
An AMD spokesperson said the problem was identified and resolved on Jan. 30.
The company does not know of any bulletin board users who were infected after visiting the site, she said.
The exploit on AMDs bulletin board used an HTML iFRAME command to direct victims to a malicious Website, tooldollars.biz, that installed malicious downloader programs, said Ken Dunham, director of malicious code research at iDefense in Reston, Va.
iDefense has documented a surge in reports of vulnerabilities in bulletin boards and similar applications in the last two years, Dunham said.
One problem is the large number of holes in PHP, a computer scripting language that is commonly used in Web development.
Open-source products like phpBB use the PHP language to create online forums that integrate with backend databases like MySQL and Oracle.
Holes in PHP applications have become more enticing targets as those applications have gained in popularity online, Dunham said.
The increasing involvement of organized crime in hacking has also increased interest in online bulletin boards because they are an excellent tool for distributing malicious code, as the AMD hack illustrates, Dunham said.
“Its about exposure and opportunity. If you hack a bulletin board or a blog, lots of visitors come to that site,” he said.
Netcraft said that compromised Web forums were used to host more than 600 phishing Web sites in 2005.
In December, 2004, the Santy Worm spread across the Internet by compromising a hole in the phpBB Web forum software.
Santy and the ongoing interest in vulnerable phpBB installations prompted Microsoft to block queries for the term “phpBB” through its MSN Search engine in the wake of the worm, a company spokesperson said.
Microsoft has also been contacting IPs who host infected phpBB systems so that they can be patched, she said.
However, the number of Web sites using phpBB increased 79 percent in the second half of 2005, despite the security threat, NetCraft reported.
In November 2005, the SANS Institute listed PHP-based applications as one of the organizations Top 20 security vulnerabilities for the year.
SANS cited the widespread vulnerabilities in PHP, as well as remote code execution and SQL injection vulnerabilities in PHP applications and software libraries.
Security holes in PHP applications underscore the danger that low-profile “shareware” applications can pose to enterprise security, Dunham said.
Often those applications, which are free to download and use, run on corporate networks without oversight.
However, they can be just as damaging as commercial applications if they are compromised by hackers and used to spread malicious code, or steal sensitive information, Dunham said.
“Its so complicated today. Its difficult to…recognize whats a high risk and what isnt. The little application thats a mosquito can easily turn into a security behemoth,” he said.